From owner-freebsd-java@FreeBSD.ORG Mon Sep 28 10:21:44 2009 Return-Path: Delivered-To: freebsd-java@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A7B4D1065672 for ; Mon, 28 Sep 2009 10:21:44 +0000 (UTC) (envelope-from cpghost@cordula.ws) Received: from fw.farid-hajji.net (fw.farid-hajji.net [213.146.115.42]) by mx1.freebsd.org (Postfix) with ESMTP id 9E7828FC1C for ; Mon, 28 Sep 2009 10:21:43 +0000 (UTC) Received: from phenom.cordula.ws (phenom [192.168.254.60]) by fw.farid-hajji.net (Postfix) with ESMTP id 7C9BF36ED6; Mon, 28 Sep 2009 12:10:50 +0200 (CEST) Date: Mon, 28 Sep 2009 12:10:48 +0200 From: cpghost To: Greg Lewis Message-ID: <20090928101048.GA1189@phenom.cordula.ws> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-questions@freebsd.org, freebsd-java@freebsd.org Subject: java/jdk16 vulnerability? X-BeenThere: freebsd-java@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting Java to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Sep 2009 10:21:44 -0000 [Sorry for resending: I didn't get any replies] Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system complains about an old and vulnerable Java version: Your installed version of Java is vulnerable to a severe remote exploit (remote code execution!). You must upgrade to at least Java 5 update 20 or Java 6 update 15 as soon as possible. Freenet has disabled any plugins handling XML for the time being, but this includes searching and chat so you should upgrade ASAP! See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for details. Also, please do not use Thaw or Freetalk. The UPnP plugin is enabled, it might present a risk if you have bad guys on your LAN, but without it Freenet will not be able to port forward and will have severe problems. I'm running java/jdk16: phenom# java -version java version "1.6.0_03-p4" Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00) Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode) On 7.2-STABLE: phenom# uname -a FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep 8 10:43:26 CEST 2009 root@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC amd64 Is that version of Java really vulnerable? If yes, why doesn't # portaudit -Fda report it as such, and could you please update the java/jdk16 port? Thanks, -cpghost. -- Cordula's Web. http://www.cordula.ws/